- A third-party breach exposed certain Vimeo user and customer data
- The information accessed included metadata and some email addresses, but not video content or payment information
- Vimeo disabled the integration, engaged external investigators and was threatened with ransom demands
Popular video platform Vimeo has notified users that some of their data may have been accessed by malicious third parties.
In a security incident notice published on the company’s website, Vimeo said the unauthorized data access came as a result of the Anodot breach. Anodot is an AI-powered, cloud-based analytics platform that hunts down business events and anomalies in real-time, helping companies identify sudden drops in sales, cost increases or technical failures before they significantly impact the organization and its customers.
In early April 2026, it was reported that ShinyHunters broke into, and through the third-party integration features, gained access to Anodot’s users’ Snowflake accounts. Apparently, more than a dozen companies were affected, but the only confirmed victim so far is Rockstar Games, the company behind the famous Grand Theft Auto and Red Dead Redemption game series – but now Vimeo has stated that it was also affected by this attack.
The article continues below
Confirmed Anodot event
“We have identified that as a result of the Anodot breach, an unauthorized actor gained access to certain Vimeo user and customer data,” the announcement reads. “Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata and, in some cases, customer email addresses.”
Vimeo did not say how many people were affected by the attack, but emphasized that video content, valid user login credentials, and payment card information were not accessed.
“Vimeo user and customer login information is secure. This incident did not cause any disruption to our systems or service,” it concluded.
After the discovery, Vimeo disabled all Anodot credentials, removed the integration, and brought in a third-party security firm to help with the autopsy. The police have also been notified.
The attack was claimed by ransomware actors ShinyHunters, who said they would publish the stolen files unless the company pays a ransom by April 30, 2026.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
